04-06-2011 01:01 PM - edited 02-21-2020 05:16 PM
ASA5520 8.2(4) IPsec client VPN authenticating with LDAP to MS DC.
This has been up and working without issue for months. Suddenly we are getting the following message when some users attempt to login:
Apr 06 2011 15:33:02 Group = VPN, Username = jdoe, IP = x.x.x.x, Remote peer has failed user authentication - check configured username and password
The username and password are proven good both in the MS network and when doing a AAA test on the ASA.
This is not happening to all users.
I did find some info about Kerberos and checking this in the AD Account: Do not require kerberos pre-authentication
Modifying this did not help.
Any ideas?
Thanks
04-06-2011 03:56 PM
Check the user for password about to expire. I have seen that as a bug: if the password is about to expire it will fail the user authentication even though the AAA test works.
Sent from Cisco Technical Support iPhone App
04-08-2011 08:02 AM
Hi,
Could you please try the following:
test aaa authentication
Please paste the output of "sh run aaa" and "sh run tunnel-group"
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
04-11-2011 07:06 AM
t.j and Anisha - thanks for the response.
t.j. - it doesn't appear we're hitting that bug
Anisha - test from ASA works fine.
What I am finding is the problem appears to be affecting certain hosts, not accounts. My account, for example, works fine on one PC, yet fails with the above error on another.
We have uninstalled and re-installed the VPN client and it does not help.
Here is a log of a failing VPN client.
Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
4 09:59:31.906 04/11/11 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
5 09:59:32.031 04/11/11 Sev=Info/4 CM/0x63100002
Begin connection process
6 09:59:31.906 04/11/11 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
7 09:59:32.046 04/11/11 Sev=Info/4 CM/0x63100004
Establish secure connection
8 09:59:31.921 04/11/11 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
9 09:59:32.046 04/11/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "X.X.X.X"
10 09:59:31.921 04/11/11 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
11 09:59:32.046 04/11/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with X.X.X.X.
12 09:59:31.921 04/11/11 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
13 09:59:32.062 04/11/11 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
14 09:59:31.937 04/11/11 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
15 09:59:32.062 04/11/11 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
16 09:59:32.031 04/11/11 Sev=Info/4 CERT/0x63600015
Cert (e=test@company.org,cn=Test VPN,o=CCCCC) verification succeeded.
17 09:59:32.125 04/11/11 Sev=Info/4 CERT/0x63600015
Cert (e=test@company.org,cn=Test VPN,o=CCCCC) verification succeeded.
18 09:59:32.125 04/11/11 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
19 09:59:32.125 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to X.X.X.X
20 09:59:32.203 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
21 09:59:32.203 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Nat-T), VID(Frag)) from X.X.X.X
22 09:59:32.218 04/11/11 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
23 09:59:32.218 04/11/11 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
24 09:59:32.218 04/11/11 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
25 09:59:32.218 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to X.X.X.X
26 09:59:32.250 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
27 09:59:32.250 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?), NAT-D, NAT-D) from X.X.X.X
28 09:59:32.250 04/11/11 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
29 09:59:32.250 04/11/11 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
30 09:59:32.250 04/11/11 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x20000001
31 09:59:32.343 04/11/11 Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.
32 09:59:32.937 04/11/11 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 256.
33 09:59:32.937 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to X.X.X.X
34 09:59:32.937 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to X.X.X.X
35 09:59:32.937 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to X.X.X.X
36 09:59:32.937 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to X.X.X.X
37 09:59:32.937 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to X.X.X.X
38 09:59:32.937 04/11/11 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
39 09:59:32.937 04/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
40 09:59:33.328 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
41 09:59:33.328 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from X.X.X.X
42 09:59:33.328 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
43 09:59:33.328 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from X.X.X.X
44 09:59:33.328 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
45 09:59:33.328 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from X.X.X.X
46 09:59:33.328 04/11/11 Sev=Info/5 IKE/0x63000073
All fragments received.
47 09:59:33.328 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from X.X.X.X
48 09:59:33.437 04/11/11 Sev=Info/4 CERT/0x63600015
Cert (cn=ASA5520colonie) verification succeeded.
49 09:59:33.437 04/11/11 Sev=Info/5 IKE/0x63000001
Peer supports DPD
50 09:59:33.437 04/11/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 09:59:33.437 04/11/11 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0554, Remote Port = 0x1194
52 09:59:33.453 04/11/11 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
53 09:59:33.453 04/11/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
54 09:59:34.359 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
55 09:59:34.359 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
56 09:59:34.359 04/11/11 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
57 09:59:34.359 04/11/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
58 09:59:40.375 04/11/11 Sev=Info/4 CM/0x63100017
xAuth application returned
59 09:59:40.375 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
60 09:59:40.437 04/11/11 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
61 09:59:40.421 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
62 09:59:40.421 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
63 09:59:40.421 04/11/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
64 09:59:43.828 04/11/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
65 09:59:47.109 04/11/11 Sev=Info/4 CM/0x63100017
xAuth application returned
66 09:59:47.109 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
67 09:59:53.828 04/11/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
68 10:00:03.828 04/11/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
69 10:00:13.828 04/11/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
70 10:00:17.468 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
71 10:00:17.468 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
72 10:00:17.468 04/11/11 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
73 10:00:17.468 04/11/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
74 10:00:17.468 04/11/11 Sev=Warning/2 IKE/0xE300009B
Immature Navigation Termination due to error (Navigator:199)
75 10:00:23.828 04/11/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
76 10:00:24.484 04/11/11 Sev=Info/4 CM/0x63100017
xAuth application returned
77 10:00:24.484 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
78 10:00:24.531 04/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
79 10:00:24.531 04/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X
80 10:00:24.531 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
81 10:00:24.531 04/11/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=8447269F65F34FAD R_Cookie=6A5B8C08EC8B2604) reason = DEL_REASON_WE_FAILED_AUTH
82 10:00:24.531 04/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X
83 10:00:25.328 04/11/11 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=8447269F65F34FAD R_Cookie=6A5B8C08EC8B2604) reason = DEL_REASON_WE_FAILED_AUTH
84 10:00:25.328 04/11/11 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "X.X.X.X" because of "DEL_REASON_WE_FAILED_AUTH"
85 10:00:25.328 04/11/11 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
86 10:00:25.343 04/11/11 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
87 10:00:25.343 04/11/11 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
88 10:00:25.343 04/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
89 10:00:25.343 04/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
90 10:00:25.343 04/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
91 10:00:25.343 04/11/11 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
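A small triage of a client log in this format, as an added example that is not part of the original thread: it parses the entry layout shown in the post above and reports how far the connection got before teardown. The sample log is constructed to match that layout, and the function names are hypothetical.

```python
import re

# Entry header as printed by the client, e.g.
# "81 10:00:24.531 04/11/11 Sev=Info/4 IKE/0x63000017"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)

# Constructed sample (gateway name and cookies are made up), trimmed to the
# shape of the log in the post above.
SAMPLE = """\
48 09:59:33.437 04/11/11 Sev=Info/4 CERT/0x63600015
Cert (cn=example-gw) verification succeeded.
53 09:59:33.453 04/11/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
57 09:59:34.359 04/11/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
63 09:59:40.421 04/11/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
73 10:00:17.468 04/11/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
74 10:00:17.468 04/11/11 Sev=Warning/2 IKE/0xE300009B
Immature Navigation Termination due to error (Navigator:199)
81 10:00:24.531 04/11/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0000000000000001 R_Cookie=0000000000000002) reason = DEL_REASON_WE_FAILED_AUTH
"""

def parse_entries(text):
    """Group each header line with the message line(s) that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def summarize(entries):
    """Report how far the connection got before it was torn down."""
    msgs = [e["msg"] for e in entries]
    reasons = {r for m in msgs for r in re.findall(r"reason = (\w+)", m)}
    return {
        "cert_verified": any(m.startswith("Cert (") and "verification succeeded" in m for m in msgs),
        "phase1_established": any(m.startswith("Established Phase 1 SA") for m in msgs),
        "xauth_prompts": msgs.count("Launch xAuth application"),
        "warnings": [(e["seq"], e["msg"]) for e in entries if e["sev"] != "Info"],
        "delete_reasons": sorted(reasons),
    }

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE)))
```

A summary with the certificate verified, Phase 1 established, repeated xAuth prompts and DEL_REASON_WE_FAILED_AUTH places the failure at the XAUTH step rather than in certificate or IKE negotiation.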
04-11-2011 11:09 AM
hi,
You are right. The problem is not with the account.
The debugs clearly state the reason for delete is authentication failure.
Could you please check that the password typed is correct, i.e. no spaces are entered. Also are any of the other users able to connect to the client from this server?
Please let me know the OS of the client.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts
04-11-2011 01:52 PM
Password is correct. I have a different laptop next to me and authentication works fine using the same account. This is affecting only a few users, all others are functioning normally.
04-12-2011 03:18 AM
Hi,
This seems to be a hardware issue. It looks like the laptop is entering "space" in between the alphabets of the password.
Could you try using an extended keyboard and test?
If this still does not work, then please try uninstall and re-install of the client from your laptop.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
04-18-2011 06:56 AM
Un-install, re-install fixed it
thanks